[TYPO3] kb_md5fepw + forgot password -> Email Verification?
Gebhardt Thomas
gebhardt at hrz.uni-marburg.de
Tue Oct 10 10:05:11 CEST 2006
Hi,
just trying to make a login form using the extensions
newloginbox + kb_md5fepw + sr_feuser_register.
When a user forgets her/his password and clicks on the 'forgot password'
link, a new password is generated and sent to the email address supplied in
the form.
This feature may be misused, however. Anyone who can guess the email
address of other users can trigger a password change, which is annoying
at least.
Is there an obvious and easy way to prevent people changing the password
of other users, such as sending a verification email before the password change
actually takes place? I did not find a corresponding config option, however.
(But I'm pretty sure that I'm not the first one who deals with that problem,
so chances are good that a solution has already been implemented.)
I noticed that the email address in the 'forgot password' form is case
sensitive while the input box in the registration field is not. I don't know
the rationale behind this behavior. One could, however, register with an
email address like jOn.dOE at eXAmple.cOM, which is not easy to guess,
thus preventing others from changing the password. But people who can
memorize such strange email addresses usually also remember
their passwords :-)
Thanks for any hint, Thomas
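
Added example, not part of the original message and not code from newloginbox, kb_md5fepw or sr_feuser_register: a sketch in plain PHP of the verify-before-change flow the message asks about, where the form only issues a mailed token and the password is replaced once that token comes back. The function names, the in-memory arrays, the one-hour lifetime and the use of password_hash() are assumptions made for illustration.

```php
<?php
// Added example: arrays stand in for the user table and a reset-token table.
const RESET_TTL = 3600; // token lifetime in seconds (assumed value)

function normalizeEmail(string $email): string {
    return strtolower(trim($email)); // same comparison rule at registration and reset
}

// Step 1, the "forgot password" form: issue a token, leave the password alone.
function requestReset(array $users, array &$pending, string $email, int $now): ?string {
    $email = normalizeEmail($email);
    if (!isset($users[$email])) {
        return null; // the page shown to the visitor should be the same either way
    }
    $token = bin2hex(random_bytes(32));
    // Store only a hash, so a leaked token table cannot be replayed.
    $pending[hash('sha256', $token)] = ['email' => $email, 'expires' => $now + RESET_TTL];
    return $token; // goes into the confirmation link mailed to the account address
}

// Step 2, the link from the mail: only now is the password replaced.
function confirmReset(array &$users, array &$pending, string $token, string $newPassword, int $now): bool {
    $key = hash('sha256', $token);
    if (!isset($pending[$key])) {
        return false;
    }
    $entry = $pending[$key];
    unset($pending[$key]); // single use, even if the token turns out to be expired
    if ($entry['expires'] < $now) {
        return false;
    }
    $users[$entry['email']]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Constructed sample data.
$users = ['jon.doe@example.com' => ['password_hash' => password_hash('old-secret', PASSWORD_DEFAULT)]];
$pending = [];
$now = time();

$token = requestReset($users, $pending, 'jOn.dOE@eXAmple.cOM', $now);
// Does the old password still verify after a bare request?
var_dump(password_verify('old-secret', $users['jon.doe@example.com']['password_hash']));
var_dump(confirmReset($users, $pending, str_repeat('0', 64), 'other-pw', $now)); // token never issued
var_dump(confirmReset($users, $pending, $token, 'new-secret', $now)); // token from the mail
var_dump(confirmReset($users, $pending, $token, 'again', $now)); // same token a second time
```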